[DSE-Dev] [martin at martinorr.name: /selinux getattr messages]

Erich Schubert erich at debian.org
Fri Nov 16 16:27:06 UTC 2007


Hello Robert,
> I'm testing SELinux on my etch/lenny machine, and I prepared a patch for
> refpolicy trunk:
> http://wonder.pl/pub/debian/deby/debian-selinux-patches/refpolicy/refpolicy-debian-20071116.patch

Just some notes:
- don't include build.conf in the patch
- try to split the patch into small changes, and send them individually.
That makes review easier, and they get into upstream more quickly.

I don't have the time to completely review your patch, so just a few
notes:

refpolicy/policy/modules/admin/alsa.fc:
/var/lib/alsa/asound\.state	gen_context(system_u:object_r:alsa_etc_rw_t,s0)

Make a new context such as alsa_state_t; using *_etc_* outside of /etc
is a misnomer, and you unnecessarily give write access to files in /etc
when you only want to give write access to /var/lib/alsa.
Also, you should relabel the directory /var/lib/alsa; this helps get
the file labeled correctly upon creation.

refpolicy/policy/modules/apps/mozilla.fc:
/usr/bin/epiphany
shouldn't be labeled mozilla_exec_t, because it's just a wrapper shell
script. The correct binaries to relabel are
  /usr/bin/epiphany-gecko
  /usr/bin/epiphany-webkit
  /usr/bin/epiphany
(for versions where there was just the gecko branch)

/etc/gdm - you messed something up there. Avoid bin_t there.

refpolicy/policy/modules/services/hal.fc:
also relabel the directory, so the pidfile gets labeled correctly upon
creation.

Again, I didn't go through the whole diff. But overall, I think
you've been doing quite a good job. You've understood how to fix audit
errors properly and how to use interfaces and macros. I hope that
one of the active SELinux users will have time to look at your diff
in detail and include some of the changes into the upstream branch.

best regards,
Erich Schubert
-- 
     erich@(vitavonni.de|debian.org)    --    GPG Key ID: 4B3A135C    (o_
 Why waste time learning, when ignorance is instantaneous? --- Calvin //\
     Die eigentliche Aufgabe eines Freundes ist, dir beizustehen,     V_/_
     wenn du im Unrecht bist. Jedermann ist auf deiner Seite, wenn
                   du im Recht bist. --- Mark Twain
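
As an added example (not part of Erich's message, of Robert's patch, or of refpolicy itself), here is how the two file-context suggestions above, a dedicated state type for /var/lib/alsa and labeling the directory rather than only the file for both alsa.fc and hal.fc, could be written in refpolicy module syntax. The type name alsa_state_t is the one Erich suggests; the alsa_t domain, the hald_var_run_t type, the /var/run/hald path and the exact interface calls are assumptions made for this illustration and should be checked against the refpolicy tree being patched.

```selinux
# alsa.fc -- label the whole state directory, not only asound.state.
# Because the directory itself carries alsa_state_t, a file that alsactl
# creates inside it inherits that label at creation time, so no
# file-type transition rule is needed for the common case.
/var/lib/alsa(/.*)?		gen_context(system_u:object_r:alsa_state_t,s0)

# alsa.te -- declare the new type and give the ALSA domain write access to
# it alone. Reusing alsa_etc_rw_t here would also grant writes to the
# /etc files carrying that type, which is more than the state file needs.
type alsa_state_t;
files_type(alsa_state_t)

# alsa_t is assumed to be the domain alsactl runs in.
manage_dirs_pattern(alsa_t, alsa_state_t, alsa_state_t)
manage_files_pattern(alsa_t, alsa_state_t, alsa_state_t)
files_search_var_lib(alsa_t)

# hal.fc -- same principle for the pidfile: label the directory so the
# pidfile is created with the right type (path and type name assumed).
/var/run/hald(/.*)?		gen_context(system_u:object_r:hald_var_run_t,s0)
```

After the rebuilt module is loaded, `restorecon -Rv /var/lib/alsa` applies the new label to the existing directory and state file, and `matchpathcon /var/lib/alsa/asound.state` shows which context the file-context database now assigns to that path; the output of the latter should name alsa_state_t, not alsa_etc_rw_t.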
